publish updates from main (#22606)

Automated pull request for publishing docs updates.

---------

Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Cesar Talledo <[email protected]>
Co-authored-by: Rob Murray <[email protected]>
Co-authored-by: Sebastiaan van Stijn <[email protected]>
Co-authored-by: Allie Sadler <[email protected]>
Co-authored-by: Sarah Sanders <[email protected]>
Co-authored-by: Cesar Talledo <[email protected]>

Author: 5 people

content/manuals/desktop/features/dev-box.md

@@ -0,0 +1,55 @@
+---
+Title: Docker Desktop in Microsoft Dev Box
+description: Learn about the benefits of and  how to setup Docker Desktop in Microsoft Dev Box
+keywords: desktop, docker, windows, microsoft dev box
+---
+
+Docker Desktop is available as a pre-configured image in the Microsoft Azure Marketplace for use with Microsoft Dev Box, allowing developers to quickly set up consistent development environments in the cloud.
+
+Microsoft Dev Box provides cloud-based, pre-configured developer workstations that allow you to code, build, and test applications without configuring a local development environment. The Docker Desktop image for Microsoft Dev Box comes with Docker Desktop and its dependencies pre-installed, giving you a ready-to-use containerized development environment.
+
+## Key benefits
+
+- Pre-configured environment: Docker Desktop, WSL2, and other requirements come pre-installed and configured
+- Consistent development: Ensure all team members work with the same Docker environment
+- Powerful resources: Access more compute power and storage than might be available on local machines
+- State persistence: Dev Box maintains your state between sessions, similar to hibernating a local machine
+- Seamless licensing: Use your existing Docker subscription or purchase a new one directly through Azure Marketplace
+
+## Setup
+
+### Prerequisites 
+
+- An Azure subscription
+- Access to Microsoft Dev Box
+- A Docker subscription (Pro, Team, or Business). You can use Docker Desktop in Microsoft Dev Box with any of the following subscription options:
+   - An existing or new Docker subscription 
+   - A new Docker subscription purchased through Azure Marketplace
+   - A Docker Business subscription with SSO configured for your organization
+
+### Set up Docker Desktop in Dev Box
+
+1. Navigate to the [Docker Desktop for Microsoft Dev Box](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/dockerinc1694120899427.devbox_azuremachine?tab=Overview) listing in Azure Marketplace.
+2. Select **Get It Now** to add the virtual machine image to your subscription.
+3. Follow the Azure workflow to complete the setup.
+4. Use the image to create VMs, assign to Dev Centers, or create Dev Box Pools according to your organization's setup.
+
+### Activate Docker Desktop
+
+Once your Dev Box is provisioned with the Docker Desktop image:
+
+1. Start your Dev Box instance.
+2. Launch Docker Desktop. 
+3. Sign in with your Docker ID.
+
+## Support
+
+For issues related to:
+
+- Docker Desktop configuration, usage, or licensing: Create a support ticket through [Docker Support](https://hub.docker.com/support).
+- Dev Box creation, Azure portal configuration, or networking: Contact Azure Support.
+
+## Limitations
+
+- Microsoft Dev Box is currently only available on Windows 10 and 11 (Linux VMs are not supported).
+- Performance may vary based on your Dev Box configuration and network conditions.

content/manuals/desktop/features/kubernetes.md

@@ -81,14 +81,6 @@ The following table summarizes this comparison.
 | Works with containerd image store | Yes | Yes |
 | Works with Docker image store | Yes | No |
 
-### Additional settings
-
-#### Viewing system containers
-
-By default, Kubernetes system containers are hidden. To inspect these containers, enable **Show system containers (advanced)**.
-
-You can now view the running Kubernetes containers with `docker ps` or in the Docker Desktop Dashboard.
-
 ## Using the kubectl command
 
 Kubernetes integration automatically installs the Kubernetes CLI command
@@ -131,6 +123,104 @@ For more information about `kubectl`, see the
 
 Kubernetes clusters are not automatically upgraded with Docker Desktop updates. To upgrade the cluster, you must manually select **Reset Kubernetes Cluster** in settings.
 
+## Additional settings
+
+### Viewing system containers
+
+By default, Kubernetes system containers are hidden. To inspect these containers, enable **Show system containers (advanced)**.
+
+You can now view the running Kubernetes containers with `docker ps` or in the Docker Desktop Dashboard.
+
+### Configuring a custom image registry for Kubernetes control plane images
+
+Docker Desktop uses containers to run the Kubernetes control plane. By default, Docker Desktop pulls
+the associated container images from Docker Hub. The images pulled depend on the [cluster provisioning mode](#cluster-provisioning-method).
+
+For example, in `kind` mode it requires the following images:
+
+```console
+docker.io/kindest/node:<tag>
+docker.io/docker/desktop-cloud-provider-kind:<tag>
+docker.io/docker/desktop-containerd-registry-mirror:<tag>
+```
+
+In `kubeadm` mode it requires the following images:
+
+```console
+docker.io/registry.k8s.io/kube-controller-manager:<tag>
+docker.io/registry.k8s.io/kube-apiserver:<tag>
+docker.io/registry.k8s.io/kube-scheduler:<tag>
+docker.io/registry.k8s.io/kube-proxy
+docker.io/registry.k8s.io/etcd:<tag>
+docker.io/registry.k8s.io/pause:<tag>
+docker.io/registry.k8s.io/coredns/coredns:<tag>
+docker.io/docker/desktop-storage-provisioner:<tag>
+docker.io/docker/desktop-vpnkit-controller:<tag>
+docker.io/docker/desktop-kubernetes:<tag>
+```
+
+The image tags are automatically selected by Docker Desktop based on several
+factors, including the version of Kubernetes being used. The tags vary for each image.
+
+To accommodate scenarios where access to Docker Hub is not allowed, admins can
+configure Docker Desktop to pull the above listed images from a different registry (e.g., a mirror)
+using the [KubernetesImagesRepository](../../security/for-admins/hardened-desktop/settings-management/configure-json-file.md#kubernetes) setting as follows.
+
+An image name can be broken into `[registry[:port]/][namespace/]repository[:tag]` components.
+The `KubernetesImagesRepository` setting allows users to override the `[registry[:port]/][namespace]`
+portion of the image's name.
+
+For example, if Docker Desktop Kubernetes is configured in `kind` mode and
+`KubernetesImagesRepository` is set to `my-registry:5000/kind-images`, then
+Docker Desktop will pull the images from:
+
+```console
+my-registry:5000/kind-images/node:<tag>
+my-registry:5000/kind-images/desktop-cloud-provider-kind:<tag>
+my-registry:5000/kind-images/desktop-containerd-registry-mirror:<tag>
+```
+
+These images should be cloned/mirrored from their respective images in Docker Hub. The tags must
+also match what Docker Desktop expects.
+
+The recommended approach to set this up is the following:
+
+1) Start Docker Desktop.
+
+2) In Settings > Kubernetes, enable the *Show system containers* setting.
+
+3) In Settings > Kubernetes, start Kubernetes using the desired cluster provisioning method: `kubeadm` or `kind`.
+
+4) Wait for Kubernetes to start.
+
+5) Use `docker ps` to view the container images used by Docker Desktop for the Kubernetes control plane.
+
+6) Clone or mirror those images (with matching tags) to your custom registry.
+
+7) Stop the Kubernetes cluster.
+
+8) Configure the `KubernetesImagesRepository` setting to point to your custom registry.
+
+9) Restart Docker Desktop.
+
+10) Verify that the Kubernetes cluster is using the custom registry images using the `docker ps` command.
+
+> [!NOTE]
+>
+> The `KubernetesImagesRepository` setting only applies to control plane images used by Docker Desktop
+> to set up the Kubernetes cluster. It has no effect on other Kubernetes pods.
+
+> [!NOTE]
+>
+> When using `KubernetesImagesRepository` and [Enhanced Container Isolation (ECI)](../../security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md)
+> is enabled, add the following images to the [ECI Docker socket mount image list](../../security/for-admins/hardened-desktop/settings-management/configure-json-file.md#enhanced-container-isolation):
+>
+> * [imagesRepository]/desktop-cloud-provider-kind:*
+> * [imagesRepository]/desktop-containerd-registry-mirror:*
+>
+> These containers mount the Docker socket, so you must add the images to the ECI images list. If not,
+> ECI will block the mount and Kubernetes won't start.
+
 ## Troubleshooting
 
 - If Kubernetes fails to start, make sure Docker Desktop is running with enough allocated resources. Check **Settings** > **Resources**.

content/manuals/desktop/setup/vm-vdi.md

@@ -64,3 +64,7 @@ Docker Desktop follows the VDI support definitions outlined [previously](#virtua
 ### Support scope and responsibilities
 
 For WSL 2-related issues, contact Nutanix support. For Docker Desktop-specific issues, contact Docker support.
+
+## Aditional resources
+
+- [Docker Desktop on Microsoft Dev Box](/manuals/desktop/features/dev-box.md)

content/manuals/engine/network/_index.md

@@ -160,8 +160,8 @@ Here are some examples:
 >
 > > [!WARNING]
 > >
-> > Hosts within the same L2 segment (for example, hosts connected to the same
-> > network switch) can reach ports published to localhost.
+> > In releases older than 28.0.0, hosts within the same L2 segment (for example,
+> > hosts connected to the same network switch) can reach ports published to localhost.
 > > For more information, see
 > > [moby/moby#45610](https://github.com/moby/moby/issues/45610)
 

content/manuals/engine/network/packet-filtering-firewalls.md

@@ -234,14 +234,14 @@ $ docker run --network=mynet -p 8080:80 myimage
 ```
 
 Then:
-- Only container port 80 will be open, for IPv4 and IPv6. It is accessible
-  from anywhere, if there is routing to the container's address, and access
-  is not blocked by the host's firewall.
+- Only container port 80 will be open, for IPv4 and IPv6.
 - For IPv6, using `routed` mode, port 80 will be open on the container's IP
   address. Port 8080 will not be opened on the host's IP addresses, and
   outgoing packets will use the container's IP address.
 - For IPv4, using the default `nat` mode, the container's port 80 will be
-  accessible via port 8080 on the host's IP addresses, as well as directly.
+  accessible via port 8080 on the host's IP addresses, as well as directly
+  from within the Docker host. But, container port 80 cannot be accessed
+  directly from outside the host.
   Connections originating from the container will masquerade, using the 
   host's IP address.
 

content/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md

@@ -264,14 +264,14 @@ The following `admin-settings.json` code and table provides an example of the re
 
 |Parameter|OS|Description|Version|
 |:-------------------------------|---|:-------------------------------|---|
-|`kubernetes`|  | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`.  `imagesRepository` lets you specify which repository Docker Desktop pulls the Kubernetes images from. For example, `"imagesRepository": "registry-1.docker.io/docker"`.  |  |
+|`kubernetes`|  | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. The [imagesRepository](../../../../desktop/features/kubernetes.md#configuring-a-custom-image-registry-for-kubernetes-control-plane-images) setting lets you specify which repository Docker Desktop pulls control-plane Kubernetes images from. |  |
 
 > [!NOTE]
 >
 > When using the `imagesRepository` setting and Enhanced Container Isolation (ECI), add the following images to the [ECI Docker socket mount image list](#enhanced-container-isolation):
 >
-> `<custom-image-repo>/desktop-cloud-provider-kind:*`
-> `<custom-image-repo>/desktop-containerd-registry-mirror:*`
+> * [imagesRepository]/desktop-cloud-provider-kind:*
+> * [imagesRepository]/desktop-containerd-registry-mirror:*
 >
 > These containers mount the Docker socket, so you must add the images to the ECI images list. If not, ECI will block the mount and Kubernetes won't start.